include "../../MachO.yara"

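// Generic Proton RAT (macOS) detection.
//
// Scope / precision: every string below comes from two open-source libraries
// that the Proton samples bundle (SocketRocket and SSHTunnel), not from code
// unique to the malware. A legitimate Mach-O that links both libraries would
// also satisfy the condition, so treat hits as "bundles SocketRocket + SSHTunnel"
// and triage (signature, bundle ID, network destinations) before acting on them.
//
// Depends on the private `MachO` rule from the included "../../MachO.yara";
// this rule does not compile standalone.
rule malware_macos_proton_rat_generic
{
    meta:
        description = "Generic detection for the macOS Proton RAT via strings from the SocketRocket and SSHTunnel libraries it bundles"
        reference = "https://objective-see.com/blog/blog_0x1D.html"
        reference2 = "https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/"
        author = "@mimeframe"
        md5 = "6a2d0c8b20efc3fa283176a4bc76d6fd"
    strings:
        // WebSocket client library used for C2 transport:
        // https://github.com/facebook/SocketRocket
        $a1 = "SRWebSocket"  nocase wide ascii
        $a2 = "SocketRocket"  nocase wide ascii
        // SSH tunnelling helper bundled with the RAT:
        // https://github.com/joeroback/SSHTunnel/
        $b1 = "SSH tunnel not launched" nocase wide ascii
        $b2 = "SSH tunnel still running" nocase wide ascii
        $b3 = "SSH tunnel already launched" nocase wide ascii
        // NOTE(review): "Entering interactive session." reads like a generic
        // SSH client log line; on its own it is the weakest of the $b group.
        $b4 = "Entering interactive session." nocase wide ascii
    condition:
        // Require the Mach-O header plus at least one string from EACH library;
        // a single library alone is too common to be a signal.
        MachO and any of ($a*) and any of ($b*)
}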
